Incidents
More /sumthin, maybe Feb 03 2003 08:52AM
Sverre H. Huseby (shh thathost com) (1 replies)
Re: More /sumthin Feb 26 2003 02:23PM
Philipp Hug (securityfocus hugit ch) (1 replies)
I found the root of all evil ;-)

the /sumthin tool is attached. I got it from an "owned" server.

Philipp
----- Original Message -----
From: "Sverre H. Huseby" <shh (at) thathost (dot) com [email concealed]>
To: <incidents (at) securityfocus (dot) com [email concealed]>
Sent: Monday, February 03, 2003 9:52 AM
Subject: More /sumthin, maybe

> I got a couple of E-mails from a guy that _may_ have more info on the
> /sumthin case. One of his servers was "owned", and he _thinks_ the
> /sumthin request was the start of the attack. His E-mails follow:
>
> ==================================================================
>
> I got hit with the same thing. /sumthin is exactly what everyone
> thinks it is - a probe. Someone used my version info to exploit a
> bug in SSL. I still don't know what the bugs are yet, but it's
> really evident. From there, he logged in as my webserver, and
> totally F$%^&D my server. He set up some kind of irc server, and
> compromised so much of my server I'm having to rebuild from the
> ground up. He redirected the root .bash_history to /dev/nul and
> redirected the mail logs and he set up an account called tcp so he
> could log in through ssh. Most of the services were shut down
> (that's how I figured something was up - I couldn't get my mail).
>
> Even though he did wipe the root history, he forgot to wipe
> wwwrun's history, it's too long to post, but it will be up for a
> short while at http://XXX [Sverre says: URL removed. log file
> attached.]
>
> He also replaced bash and set the default runlevel to halt, so
> when I restarted the system just stopped (what a pisser).
>
> When I went back and grepped all the logs, the /sumthin only shows
> up in the logs of one domain (despite the fact we host around [N])
> and starts sometime around mid October as everyone else has
> noticed.
>
> ==================================================================
>
> I found things like this in /tmp and /var/tmp:
>
> drwxr-xr-x 3 wwwrun nogroup 153 Jan 26 04:10 a
> -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz
> -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.1
> -rw-r--r-- 1 wwwrun nogroup 14138 Jan 4 20:32 a.tgz.2
> -rwxr-xr-x 1 wwwrun nogroup 19577 Nov 28 15:55 alarmd
> drwxr-xr-x 5 wwwrun nogroup 635 Dec 22 17:00 orbit-root
> drwxr-xr-x 9 wwwrun nogroup 553 Jan 12 09:52 psybnc
> -rw-r--r-- 1 wwwrun nogroup 596571 Oct 17 23:19 psybnc.tar.gz
>
> after that I did a find / -user wwwrun and found a bunch of stuff
> and then discovered several other uids involved.
>
> ==================================================================
>
> The attached shell history file shows what appears to be a manual
> attacker downloading and installing several files using wget. Some of
> the files are no longer available, but the few I managed to download
> seem to be either related to IRC (server and bot), or to Linux local
> exploits. (I only spent a couple of minutes downloading and glancing
> at the files.)
>
>
> Sverre.
>
> --
> shh (at) thathost (dot) com [email concealed] Computer Geek? Try my Nerd Quiz
> http://shh.thathost.com/ http://nerdquiz.thathost.com/
>


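A triage script for the host indicators the victim describes above (root history symlinked to /dev/null, initdefault set to halt, the extra "tcp" login, psybnc drops and web-user-owned executables in the temp directories). This is an added example written for this archive page, not code from either poster; the ROOT and WEBUSER parameters, the function names and the SUMTHIN_* environment variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original posts. Checks a Linux host (or a mounted
# image of its disk, given as ROOT) for the indicators the victim reported:
# root history symlinked to /dev/null, initdefault set to halt, a "tcp" login
# account, psybnc drops and web-user-owned executables in the temp dirs.
# ROOT, WEBUSER and the SUMTHIN_* variable names are this example's own choices.

sumthin_triage() {
    root="${1:-/}"
    webuser="${2:-wwwrun}"
    root="${root%/}"    # "/" becomes "", so "$root/etc" is always well formed

    # 1. Root's shell history redirected to /dev/null (command hiding).
    hist="$root/root/.bash_history"
    if [ -L "$hist" ] && [ "$(readlink "$hist")" = "/dev/null" ]; then
        echo "FINDING: $hist is a symlink to /dev/null"
    fi

    # 2. Default runlevel changed to 0 (halt) or 6 (reboot) in inittab.
    if [ -f "$root/etc/inittab" ] && grep -q '^id:[06]:initdefault:' "$root/etc/inittab"; then
        echo "FINDING: $root/etc/inittab sets initdefault to halt or reboot"
    fi

    # 3. Backdoor logins: the "tcp" account from the report and any extra UID-0 user.
    if [ -f "$root/etc/passwd" ]; then
        awk -F: '$1 == "tcp" || ($3 == 0 && $1 != "root") {
            print "FINDING: suspicious account " $1 " uid=" $3 " shell=" $7 }' "$root/etc/passwd"
    fi

    # 4. IRC bouncer artefacts and web-user-owned executables in the temp dirs.
    for d in "$root/tmp" "$root/var/tmp"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 2 -iname 'psybnc*' 2>/dev/null | sed 's/^/FINDING: IRC bouncer artefact /'
        find "$d" -maxdepth 2 -type f -user "$webuser" -perm -100 2>/dev/null \
            | sed "s/^/FINDING: executable owned by $webuser /"
    done
    return 0
}

# Number of FINDING lines; 0 means none of the above indicators were seen.
sumthin_count() {
    sumthin_triage "$@" | grep -c '^FINDING' || true
}

# Usage: SUMTHIN_ROOT=/mnt/evidence SUMTHIN_WEBUSER=wwwrun sh triage.sh
if [ -n "${SUMTHIN_ROOT:-}" ]; then
    sumthin_triage "$SUMTHIN_ROOT" "${SUMTHIN_WEBUSER:-wwwrun}"
fi
```

Run it against a read-only mount of the compromised disk rather than the live system where possible, since the report notes the attacker replaced bash itself.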
RE: More /sumthin Feb 26 2003 09:14PM
Jonathan A. Zdziarski (jonathan networkdweebs com) (1 replies)
Re: More /sumthin Feb 27 2003 12:59AM
D.C. van Moolenbroek (dc van moolenbroek chello nl)